security evaluation of light-weight block ciphers by gpgpu

Advanced Computing: An International Journal (ACIJ), Vol.7, No.3, May 2016

DOI:10.5121/acij.2016.7301 1

SECURITY EVALUATION OF LIGHT-WEIGHT BLOCK CIPHERS BY GPGPU Haruhisa Kosuge, Hidema Tanaka National Defense Academy of Japan, Yokosuka, Japan ABSTRACT Nowadays, general purpose graphical processing unit (GPGPU) has been used in many ares. We use it for security evaluation of light-weight block ciphers. Light-weight block cipher is one of key technologies for small communication devices such as sensor network. To design a light-weight block cipher whose fastness and security are balanced, so that, its security margin should be evaluated exactly. One of security evalua-tion method, we focus on integral attack which exploits integral distinguisher to recover some round keys. Integral distinguisher is the main factor of integral attack, and it can be obtained by computer experiment. We use GPGPU to accelerate computer experiment. We propose an algorithm to search for upper bound of integral distinguisher by GPGPU. There are theoretical and experimental steps. We specify lower order integral distinguisher from upper bound one in the theoretical step. Such integral distinguisher is tested by computer experiment in the experimental step. By applying the proposal algorithm to HIGHT, TWINE, LBlock, PRESENT and RECTANGLE, we obtain more advantageous results. KEYWORDS GPGPU,Chosen plaintext attack, Light-weight block cipher, Integral attack 1. INTRODUCTION General-purpose graphical processing unit (GPGPU) is a technology to adapt GPU for general purpose computings. GPGPU is used in various fields and it enables us to solve problems which take long time in ordinary platforms. As one of the usage of GPGPU, we consider security evalu-ation of light-weight block ciphers. There has been a growing interest in light-weight block cipher which is a key technology to ensure security of communications among small devices such as sensor network and RFID. In ISO/IEC 29192-2, it is being standardized and PRESENT [1] and CLEFIA [2] have already been adopted. In addition, some of light-weight block ciphers are proposed, for example, HIGHT [3], KLEIN [4], LBlock [5], Piccolo [6], LED [7], TWINE [8], SIMON/SPECK [9] RECTANGLE [10] and so on. On the design of light-weight block ciphers, designers must consider trade-off between fastness and security. In order to design fast and secure cipher, security margin of block ciphers must be exactly determined. Therefore, security evaluation methods should be established, and we focus on integral attack which is a necessary tool for evaluation of block ciphers. Note that 64-bit block ciphers are in our scope, since they are common among light-weight block ciphers. Integral attack is one of the major chosen plaintext attacks against block ciphers. The attack was firstly proposed as SQUARE attack by Daemon et al. [11], and then it was formalized as integral attack by Knudsen et al [12]. Recently, it has been drawing intense research interest because of its effectiveness and broad utility. Especially, full rounds attack on MISTY1 [13] by Todo shows outstanding effectiveness of integral attack [14].


2

Integral distinguisher is a property obtained by a set of chosen plaintexts, and the attackers can recover some round keys by using it. It is obtained by 2n chosen plaintexts, where n (1 _ n _ 63) is the order of integral distinguisher and we call such one as n-th order integral distinguisher. A set of 2n chosen plaintexts is encrypted for multiple rounds to make a set of outputs. An integrated value of the set of outputs is calculated. If there exist bits which are always 0 in such integrated value, we can define integral distinguisher. We call such bits as balanced bits. The number of rounds which balanced bits exist and one of balanced bits are parameters to indicate advantage for the attackers. We can obtain distinguisher which holds in additional rounds by increasing the order [12]. Therefore, upper bound of integral distinguisher is 63rd order. Upper bound of integral distin-guisher is necessary for deciding security margin of ciphers. Hence, the overall goal of this paper is to search for 63rd order integral distinguisher. There are two types of search methods for integral distinguisher, computer experiment and the-oretical search. Although there is a restriction in computer resource, we can execute computer experiment in any block ciphers. On the other hand, we can obtain upper bound of integral distin-guisher in theoretical search, since there is not such restriction. However, there is a restriction in applicable cipher function and there can be a mismatch between theoretical result and computa-tional one. This paper focuses on search method using computer experiment and aims to improve it. Computer experiment is very effective and easy to apply when the block length is short such as SIMON32 [9][15]. We can obtain the upper bound of integral distinguisher by 31st order in-tegral distinguisher, and their computer experiments can be executed in realistic times. However, 63rd order integral distinguisher itself can not be obtained by computer experiment. Therefore, we propose a new technique to achieve it. Also, we accelerate computer experiment by using GPGPU. 2. PRELIMINARY 2.1. NOTATIONS We use the notations shown in Table 1. 2.2. INTEGRAL DISTINGUISHER Integral distinguisher depends on input condition which is defined by variable bits. When the attackers chooses n bits as variable, he needs to prepare 2n chosen plaintexts. We call n as order and such integral distinguisher as n-th order integral distinguisher. In 2n plaintexts, a concatenation of variable bits takes every element of Fn2 and one of constant bits takes a constant value. A set of chosen plaintexts satisfies

where v0jjv1jj:::jjvn 1 denotes a concatenation of variable bits, and c0jjc1jj:::jjcN n 1 a concatenation of constant bits. Let A be an index set of variable bits, and a set of chosen plaintexts defined by A is In the following, we denote input condition by XA. Let Eγ be γ rounds cipher function and Kγ be a set of round keys used from first to γ-th round


3

encryption. Integration of input condition XA is defined as follows.

Where ⊕ denotes XOR summation.If there exist at least one bit which is always 0 in ∫ XA for any values of constant subblocks and round keys, we can define integral distinguisher. We call such

bits as balansed bits, and we define output property using them. Let B be an index set of balanced bits and integrated value denoted by B is YB ∈ F264 . We define integral distinguisher by XA →γ YB. It denotes that an integrated value has output property YB when a set of chosen plaintexts defined by input condition XA is encrypted for γ rounds. Due to the limited space, we omit the integral attack scenario using integral distinguisher, and typical case is shown in [16]. 2.3. PROPERTY OF INTEGRAL DISTINGUISHER Focusing on output property YB, it is obtained by multiple input conditions. We call such property as inclusive relation which holds among multiple input conditions, and we define it as follows.


4


5

2.4. BIJECTIVE CHARACTERISTICS OF PARTIAL FUNCTIONS In a round function, there may be bijective partial functions. Integral distinguisher is searched by exploiting such characteristics. In this paper, we define two bijective functions F(·) and ϕ(·), and show them in Fig.1.

3. CONVENTIONAL ALGORITHM Knudsen et al. formalized integral attack for applying mainly to block ciphers in which all operations are executed in m-bit unit (subblock). We call the algorithm as conventional algorithm. It is divided into two steps. The first step is a search algorithm for m-th order integral distinguisher. The second step is an algorithm to extend m-th order integral distinguisher to higher order one which holds in additional rounds (extension algorithm). Due to the limited space, we omit the first step, and typical case is shown in[17]. Integral distinguisher can be extended by using inclusive relation (Sec.2.3) and bijective characteristics of partial functions (Sec.2.4). We demonstrate extension algorithm in Sec.3.5 and show a problem of it in Sec.3.6.


6

3.1. EXTENSION ALGORITHM We demonstrate the extension algorithm in 128-bit block cipher CLEFIA[2]. Suppose that following 32nd order integral distinguisher is known (first step).

3.2. PROBLEM OF CONVENTIONAL ALGORITHM In the conventional algorithm, upper bound of integral distinguisher is obtained as an extension of m-th order one. However, upper bound of integral distinguisher includes many other integral distinguisher than m-th order one. For example, Shibayama et al. showed 12th order integral distinguisher found by computer experiment and its extension in TWINE [18].

On the other hand, following 4th order integral distinguisher and its extension are obtained in the conventional algorithm.


7

Comparing Eq.(10) with Eq.(11), the number of balanced bits increases in Eq.(10). In this way, upper bound of integral distinguisher can not be obtained if we do not consider other integral distinguisher than m-th order one. Therefore, we conclude that the conventional algorithm is not appropriate in searching for upper bound of integral distinguisher. 4. PROPOSAL ALGORITHM In the proposal algorithm, we obtain upper bound of integral distinguisher by executing computer experiment effectively. First, we obtain an input condition with lower order from one with 63rd order (theoretical step). Next, we execute computer experiment in such input condition (experi-mental step). From the above results, we can obtain upper bound of integral distinguisher. We show the outline in Sec.4.7 and the procedure in Sec.4.8. 4.1. OUTLINE OF PROPOSAL ALGORITHM We consider an input condition with 63rd order as start point, and let XA0 be such input condition (jA0j = 63). When we input XA0 to E1, we consider new input condition in a set of such outputs. Let XA1 (jA0 j = jA1j = 63) be such input condition, and it satisfies XA0 ⋑ X1A1 (see Definition 1). If we can not obtain such input condition, we define new input condition XA′0 , s.t., XA0 ⋑ XA′0 and obtain XA1 , s.t., XA′0 ⋑ X1A1 . We repeat the above procedure to obtain input condition in which we can execute computer experiment in realistic time.

We divide E1 into bijective partial functions such as F(.) and ϕ(.). First, we consider the function F(.). When all input bits to F(.) are variable, we can regard all output bits as variable, since all elements of Fm2 are outputted without multiplicity. Otherwise, we assume that all input bits are constant. Then, all output bits of F(.) become constant and this partial function does not influence the whole integral distinguisher. We call such variable bits assumed to be constant as redundant variable bits.

Next, we consider the function ϕ(.). Since all input bits to ϕ(.) are variable, we can regard all output bits as variable. Also, we consider the function ϕ′(.) defined by Eq.(6). If x0 is constant and x1 is variable, all elements of Fm2 are outputted without multiplicity in x1′. Therefore, variable bits in x0 become redundant variable bits when x1 includes only variable and x0 includes both variable and constant bits. Also, all variable bits become redundant variable bits when x1 includes both variable and constant bits. We summarize the above procedures in Algorithm 1.

Applying each function of Algorithm 1 to input condition XA0 , we can obtain XA′0 , s.t., XA0 ⋑ XA′0 . Then, we obtain XA1 , s.t., XA′0 ⋑ X1A1 by considering positions of input and output bits of these partial functions. Repeating the above procedure, the order decreases gradually. If the order becomes one which is executable in realistic time (about a month) by computer experiment , we end the repetition.

In input condition obtained in the theoretical step, we execute computer experiment in the ex-perimental step. At the experiment, we have to determine the number of times to execute computer experiment in the same input condition. As mentioned in Sec.2.2, integral distinguisher holds for any values of constant bits in input and round keys. By repeating computer experiment by chang-ing constant values, we can eliminate unbalanced bits which become 0 ( false balanced bits). In integrated values, false balanced bits become 0 with probability 2 1. To distinguish false balanced bits with true ones, we execute computer experiment for 10 times by choosing random values for constant bits and round keys (false probability is 2 10).


8

Suppose we obtain XA0 ⋑ Xγ′ A′ t in the theoretical step and X A′ t →γ YB in the experimental step. From Property 2, we can obtain upper bound of integral distinguisher XA0 →γ+γ′ YB. 4.2. PROCEDURE OF PROPOSAL ALGORITHM We show the whole procedure in Algorithm 2. A function LowerOrderSearch is the theoretical step and we call Algorithm 3. Another function Experiment is the experimental step and we call Algorithm 4. In the following, we explain them respectively. 4.2.1. MAIN ROUTINE


9

4.2.2. THEORETICAL STEP

While the order is more than nt, we repeat the routine. The order is gradually reduced, and we

obtain an input integral whose order is less than or equal to nt. By the above repetition, the order decreases and output At, s.t.,|At|≤nt.

4.2.3. EXPERIMENTAL STEP


10

4.3. COMPARISON WITH CONVENTIONAL ALGORITHM The conventional algorithm has a problem shown in Sec.3.2, since upper bound of integral distin-guisher is obtained as extension of m-th order one. On the other hand, we obtain it using relatively higher order integral distinguisher. The input condition with relatively higher order includes many input conditions including one of m-th order. Therefore, we can obtain upper bound of integral distinguisher which considers many integral distinguisher.

In addition, we can apply the proposal algorithm to any block ciphers. Hence, the proposal

algorithm is more effective and versatile algorithm to search for upper bound of integral distinguisher. 5. ACCELERATION OF COMPUTER EXPERIMENT BY GPGPU The more we can accelerate the experiment, the bigger nt we can take in Algorithm 2. Table 2 shows a specification of our GPGPU environment. In the implementation of block ciphers in GPGPU, we consider three parameters needed for acceleration in Sec.5.1. In Sec.5.2, we execute computer experiment in HIGHT [3], LBlock [5], TWINE [8], PRESENT [1] and RECTANGLE


11

[10] and show their execution times. 5.1. IMPROVEMENT OF IMPLEMENTATION We consider three parameters needed for acceleration of experiment. Parameter 1: the number of threads for 2n times encryptions.

Parameter 2: the number of plaintexts simultaneously encrypted in a thread. Parameter 3: the number of S-boxes for optimization of lookup tables (LUT).

Parameter 1 is the number of threads. In CUDA complier, we can set the number of threads. Also, multiple threads share memories in a block called thread-block. In the experiment platform shown in Table 2, we can set 1; 024 threads in a thread-block at most. Therefore, we set 1; 024 threads in each thread-block. We determine the optimal number of thread-blocks by measuring execution times needed for 232 times encryptions. To measure execution times, we use a round function of TWINE [8]. And the number of thread-blocks is doubled for each time, since 232 must be divisible. Table 5 shows execution times for each number of thread-blocks. From 1 to 210, execution time is shortened, however, it is unchanged after 211. Since the number of thread-blocks is saturated in 210, we determine the total number of threads as 210 210 = 220.


12

Parameter 2 is the number of plaintexts simultaneously encrypted in each thread. It is possible

to accelerate by combining multiple plaintexts into one data and encrypt this data at one time in each thread. Fig.3 illustrates an example that 2 plaintexts are combined into one date in each thread. If d plaintexts are combined, the number of encryptions in one thread becomes ⌈2nt 20=d⌉ (⌈ ⌉ ceiling function). We use a characteristic of processors that processing time does not increase

in proportion to the number of processing bits. For example, LUT of 8-bit S-box does not require twice as long time as one of 4-bit S-box.

Parameter 3 is the number of S-boxes for optimization of LUT. Since LUT directly influence the whole execution time, the optimal memory arrangement of S-boxes is important. We use two types of memories; register and shared memory. The register is a memory for a thread, and it has lowest latency in memory access. The shared memory is a memory shared in a thread-block. Although the register is smaller than shared memory, we use it as much as possible for acceleration. However, S-boxes have so much capacity that can not be arranged in the register. Therefore, we should store them in the shared memory. Since a memory for a S-box is accessed by multiple threads, resource contention occurs frequently and latency increases. In this paper, we arrange some duplicated S-boxes in each shared memory to mitigate resource contention. However, latency increases by using shared memory too much for S-boxes. Considering such trade-off, we determine the optimal number of S-boxes by executing computer experiment.

In Table 4, we summarize the optimal numbers of Parameter 2 and 3 in HIGHT, LBlock, TWINE, PRESENT and RECTANGLE. 5.2. EXECUTION TIME OF EXPERIMENT By considering three parameters shown in Sec.5.1, we execute computer experiment in HIGHT, LBlock, TWINE, PRESENT and RECTANGLE. Table 5 shows times to execute 240 times encryp-tions based on Algorithm 4. Note that we use full rounds cipher function. Since the numbers of rounds are different, we calculate execution times per a round. As for Fesitel structures (HIGHT, LBlock and TWINE), similar execution times are measured.

As for SPN structures (PRESENT and RECTANGLE), RECTANGLE is much faster than PRESENT. As mentioned in [19], PRESENT is not suitable for software implementation. Also, RECTANGLE can be accelerated by using special implementation shown in [10]. S-box operation of RECTANGLE is replaced with AND, OR and XOR operations among 16-bit data.


13

Let t40 be an execution time of a round function in 40th order shown in Table 5. Actual execution time to test nt-th order input integral with γ rounds cipher function is approximately calculated as t40 ×γ×2nt−40 ×10[sec]. In PRESENT, it takes 123 days to execute computer experiment in input condition with 48-th order. However, we use 5 GPGPU machines in our experiment platform, so

Table 7: Results of HIGHT, LBlock, TWINE, PRESENT and RECTANGLE by the proposal algorithm.

that, we can reduce it to one fifth. Therefore, we can execute computer experiment in 48th order within a month in all of 5 block ciphers. 6. APPLICATIONS OF PROPOSAL ALGORITHM We apply the proposal algorithm to light-weight block ciphers, HIGHT [3], LBlock [5], TWINE [8], PRESENT [1] and RECTANGLE [10]. Due to the limited space, we omit the details of each cipher. At first, we summarize previous results in Table 6. We only show the results which are the most advantageous for the attackers. In other word, they are integral distinguisher whose number of rounds and balanced bits are the most. By application of the proposal algorithm, we obtain results shown in Table 7. The same as Table 6, we only show the most advantageous ones for the attackers. Underlined parameters are ones which are advanced from the previous results. In the following, we show the detail of the results, respectively. HIGHT: Zheng et al. showed following 56th order integral distinguisher [20].

Based on the conventional algorithm, these results are obtained as extensions of 8th order integral distinguisher. On the other hand, we obtain following results by the proposal algorithm.

These results are almost the same as the previous result (Eq.(12)). LBlock: Shibayama et al. showed following 60th order integral distinguisher [21].


14

These results are obtained as extensions of 12th order integral distinguisher searched by computer experiment. On the other hand, we obtain following results by the proposal algorithm.

The number of balanced bits is increased from 24 to 32 compared with the previous results (Eq.(14)). TWINE Shibayama et al. showed following 60th order integral distinguisher [18].

These results are obtained as extensions of 12th order integral distinguisher searched by computer experiment. On the other hand, we obtain following results by the proposal algorithm.

As same as LBlock, the number of balanced bits is increased from 24 to 32 compared with the previous results (Eq.(16)). PRESENT: Wu et al. showed following 16th order integral distinguisher [22].

The result is obtained by some algebraic properties of S-box. On the other hand, we obtain following results by the proposal algorithm.

These results are almost the same as the previous result (Eq.(18)).


15

However, 16th order integral distinguisher is more advantageous for the attackers, since it needs far less chosen planitexts. RECTANGLE: Designers of RECTANGLE showed following 56th order integral distinguisher

[10].

The result is derived as an extension of 1st order integral distinguisher. On the other hand, we obtain following results by the proposal algorithm.

where {23 + 4i mod 64, 39 + 4i mod 64} denotes 62 bits are balanced other than 2 bits calculated by substituting i. These results are more advantageous results than the previous result (Eq.(20)), since the number of rounds which balanced bits exist and one of balanced bits increase. 7. CONCLUSION

Designers of block ciphers must consider upper bound of integral distinguisher to decide the security margin of ciphers. There is a possibility that the number of rounds to be attacked increases by upper bound of integral distinguisher. Even if it is not, it can be less difficult to guess all of the secret keys. Therefore, the designers need to consider such vulnerabilities and select stronger cipher function and key schedule. Especially in light-weight block cipher, necessary security margin of cipher function must be obtained, since there must be trade-off between fastness and security. Acknowledgment This work was supported by JSPS KAKENHI Grant Number 24560491. References

[1] A. Bogdanov, L. Knudsen, G. Leander, C. Paar, A. Poschmann, M. Robshaw, Y. Seurin, and C. Vikkelsoe, “PRESENT: An ultra-lightweight block cipher,” in Cryptographic Hardware and Embedded Systems - CHES 2007, ser. Lecture Notes in Computer Science, P. Paillier and I. Verbauwhede, Eds. Springer Berlin Heidelberg, 2007, vol. 4727, pp. 450–466. [Online]. Available: http://dx.doi.org/10.1007/978-3-540-74735-2 31

[2] L. Knudsen, “CLEFIA,” in Encyclopedia of Cryptography and Security, H. van Tilborg and S. Jajodia, Eds. Springer US, 2011, pp. 210–211. [Online]. Available: http://dx.doi.org/10.1007/978-1-4419-5906-5 561


16

[3] D. Hong, J. Sung, S. Hong, J. Lim, S. Lee, B.-S. Koo, C. Lee, D. Chang, J. Lee, K. Jeong, H. Kim, J. Kim, and S. Chee, “HIGHT: A new block cipher suitable for low-resource device,” in Cryptographic Hardware and Embedded Systems - CHES 2006, ser. Lecture Notes in Computer Science, L. Goubin and M. Matsui, Eds. Springer Berlin Heidelberg, 2006, vol. 4249, pp. 46–59. [Online]. Available: http://dx.doi.org/10.1007/11894063 4

[4] Z. Gong, S. Nikova, and Y. Law, “KLEIN: A new family of lightweight block ciphers,” in RFID. Security and Privacy, ser. Lecture Notes in Computer Science, A. Juels and C. Paar, Eds. Springer Berlin Heidelberg, 2012, vol. 7055, pp. 1–18. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-25286-0 1

[5] W. Wu and L. Zhang, “LBlock: A lightweight block cipher,” in Applied Cryptography and Network Security, ser. Lecture Notes in Computer Science, J. Lopez and G. Tsudik, Eds. Springer Berlin Heidelberg, 2011, vol. 6715, pp. 327–344. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-21554-4 19

[6] K. Shibutani, T. Isobe, H. Hiwatari, A. Mitsuda, T. Akishita, and T. Shirai, “Piccolo: an ultra-lightweight blockcipher,” in Cryptographic Hardware and Embedded Systems-CHES 2011. Springer, 2011, pp. 342–357.

[7] J. Guo, T. Peyrin, A. Poschmann, and M. Robshaw, “The LED block cipher,” in Cryptographic Hardware and Embedded Systems - CHES 2011, ser. Lecture Notes in Computer Science, B. Preneel and T. Takagi, Eds. Springer Berlin Heidelberg, 2011, vol. 6917, pp. 326–341. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-23951-9 22

[8] T. Suzaki, K. Minematsu, S. Morioka, and E. Kobayashi, “TWINE: A lightweight block cipher for multiple platforms,” in Selected Areas in Cryptography, ser. Lecture Notes in Computer Science, L. Knudsen and H. Wu, Eds. Springer Berlin Heidelberg, 2013, vol. 7707, pp. 339–354. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-35999-6 22

[9] R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, and L. Wingers, “The SIMON and SPECK families of lightweight block ciphers.” IACR Cryptology ePrint Archive, vol. 2013, p. 404, 2013.

[10] W. Zhang, Z. Bao, D. Lin, V. Rijmen, B. Yang, and I. Verbauwhede, “RECTANGLE: A bit-slice ultra-lightweight block cipher suitable for multiple platforms,” Cryptology ePrint Archive, Report 2014/084, 2014. [Online]. Available: http://eprint.iacr.org/

[11] J. Daemen, L. Knudsen, and V. Rijmen, “The block cipher Square,” in Fast Software Encryption, ser. Lecture Notes in Computer Science, E. Biham, Ed. Springer Berlin Heidelberg, 1997, vol. 1267, pp. 149–165. [Online]. Available: http://dx.doi.org/10.1007/BFb0052343

[12] L. Knudsen and D. Wagner, “Integral cryptanalysis,” in Fast Software Encryption, ser. Lecture Notes

in Computer Science, J. Daemen and V. Rijmen, Eds. Springer Berlin Heidelberg, 2002, vol. 2365, pp. 112–127. [Online]. Available: http://dx.doi.org/10.1007/3-540-45661-9 9

[13] M. Matsui, “New block encryption algorithm MISTY,” in Fast Software Encryption, ser. Lecture Notes in Computer Science, E. Biham, Ed. Springer Berlin Heidelberg, 1997, vol. 1267, pp. 54–68. [Online]. Available: http://dx.doi.org/10.1007/BFb0052334

[14] Y. Todo, “Integral cryptanalysis on full MISTY1,” in Advances in Cryptology – CRYPTO 2015, ser. Lecture Notes in Computer Science, R. Gennaro and M. Robshaw, Eds. Springer Berlin Heidelberg, 2015, vol. 9215, pp. 413–432. [Online]. Available: http://dx.doi.org/10.1007/978-3-662-47989-6 20

[15] Q. Wang, Z. Liu, K. Varıcı, Y. Sasaki, V. Rijmen, and Y. Todo, “Cryptanalysis of reduced-round simon32 and simon48,” in Progress in Cryptology–INDOCRYPT 2014. Springer, 2014, pp. 143–160.

[16] N. Ferguson, J. Kelsey, S. Lucks, B. Schneier, M. Stay, D. Wagner, and D. Whiting, “Improved cryptanalysis of Rijndael,” in Fast Software Encryption, ser. Lecture Notes in Computer Science, G. Goos, J. Hartmanis, J. van Leeuwen, and B. Schneier, Eds. Springer Berlin Heidelberg, 2001, vol. 1978, pp. 213–230. [Online]. Available: http://dx.doi.org/10.1007/3-540-44706-7 15

[17] Sony Corporation, “The 128-bit blockcipher CLEFIA security and performance evaluations revision 1.0,” http://www.sony.net/Products/cryptography/clefia/download/data/clefia/eval/ 1.0.pdf, 2007.

[18] N. Shibayama and T. Kaneko, “New higher order differential property of TWINE,” in Sym-posium on Cryptography and Information Security, SCIS2015,1D2-2, 2015.

[19] R. Benadjila, J. Guo, V. Lomne,´ and T. Peyrin, “Implementing lightweight block ciphers on x86 architectures,” in Selected Areas in Cryptography–SAC 2013. Springer, 2014, pp. 324–351.

[20] P. Zhang, B. Sun, and C. Li, “Saturation attack on the block cipher HIGHT,” in Cryptology and Network Security, ser. Lecture Notes in Computer Science, J. Garay, A. Miyaji, and A. Otsuka, Eds. Springer Berlin Heidelberg, 2009, vol. 5888, pp. 76–86. [Online]. Available:


17

http://dx.doi.org/10.1007/978-3-642-10433-6 6 [21] N. Shibayama and T. Kaneko, “A new higher order differential of LBlock,” in Information Theory

and its Applications (ISITA), 2014 International Symposium on. IEEE, 2014, pp. 488– 492. [22] S. Wu and M. Wang, “Integral attacks on reduced-round PRESENT,” in Information and

Communications Security, ser. Lecture Notes in Computer Science, S. Qing, J. Zhou, and D. Liu, Eds. Springer International Publishing, 2013, vol. 8233, pp. 331–345. [Online]. Available: http://dx.doi.org/10.1007/978-3-319-02726-5 24

security evaluation of light-weight block ciphers by gpgpu

Education